Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33011

CVE-2026-33011: NestJS Nest Auth Bypass Vulnerability

CVE-2026-33011 is an authentication bypass flaw in NestJS Nest framework that allows attackers to skip middleware via HEAD requests. This post covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-33011 Overview

CVE-2026-33011 is an authorization bypass vulnerability in NestJS, a popular framework for building scalable Node.js server-side applications. The vulnerability exists in versions 11.1.15 and below when using @nestjs/platform-fastify. Due to Fastify's automatic redirection of HEAD requests to corresponding GET handlers, middleware registered for GET routes can be completely bypassed when an attacker sends a HEAD request instead.

This bypass occurs because the middleware module only checked if the actual request method matched the registered middleware method, without accounting for Fastify's HEAD-to-GET redirection behavior. The result is that security-critical middleware such as authentication, authorization, rate limiting, or logging can be entirely skipped while the underlying handler still executes.

Critical Impact

Security middleware protecting sensitive endpoints can be completely bypassed by sending HEAD requests, potentially exposing protected resources and allowing unauthorized access to application functionality.

Affected Products

  • NestJS Nest versions 11.1.15 and below
  • Applications using @nestjs/platform-fastify adapter
  • GET endpoints with middleware protection

Discovery Timeline

  • 2026-03-20 - CVE CVE-2026-33011 published to NVD
  • 2026-03-23 - Last updated in NVD database

Technical Details for CVE-2026-33011

Vulnerability Analysis

This vulnerability stems from an incomplete control flow implementation (CWE-670) in the NestJS middleware module when integrated with the Fastify HTTP adapter. When a NestJS application uses @nestjs/platform-fastify, Fastify's routing behavior automatically redirects incoming HEAD requests to their corresponding GET handlers if no explicit HEAD handler is defined.

The middleware execution logic in packages/core/middleware/middleware-module.ts previously only verified that the incoming request method matched the method for which the middleware was registered. Since HEAD requests are redirected to GET handlers but retain their original request method of HEAD, middleware registered specifically for GET routes would not execute.

This creates a significant security gap: authentication middleware, authorization checks, input validation, rate limiting, and audit logging can all be bypassed simply by changing the HTTP method from GET to HEAD. While the response body is truncated (as per HTTP specification for HEAD requests), the handler still executes, potentially causing side effects or leaking information through response headers.

Root Cause

The root cause is the failure to account for HTTP protocol semantics where HEAD requests should behave identically to GET requests except for the response body. The middleware execution condition only checked for exact method matches without considering that Fastify redirects HEAD to GET handlers. The original code used a simple equality check applicationRef.getRequestMethod?.(req) === requestMethod which did not handle the HEAD-to-GET redirection case.

Attack Vector

An attacker can exploit this vulnerability by sending HTTP HEAD requests to endpoints that are protected by middleware registered for GET routes. The attack is network-based and requires no authentication or user interaction. The attacker simply replaces GET with HEAD in their HTTP request to bypass all GET-registered middleware while still triggering the handler execution.

typescript
// Security patch showing the fix in middleware-module.ts
// Source: https://github.com/nestjs/nest/commit/cbdf737cd6e7cefa52d05ecea2ae4af95c464614

           res: TResponse,
           next: () => void,
         ) => {
-          if (applicationRef.getRequestMethod?.(req) === requestMethod) {
+          const actualRequestMethod = applicationRef.getRequestMethod?.(req);
+          if (
+            actualRequestMethod === requestMethod ||
+            (actualRequestMethod === RequestMethod[RequestMethod.HEAD] &&
+              requestMethod === RequestMethod[RequestMethod.GET])
+          ) {
             return proxy(req, res, next);
           }
           return next();

Source: GitHub Commit cbdf737

Detection Methods for CVE-2026-33011

Indicators of Compromise

  • Unusual volume of HTTP HEAD requests to API endpoints that typically receive GET requests
  • HEAD requests to authenticated endpoints that return 200 status codes without triggering authentication logs
  • Access logs showing HEAD requests to sensitive endpoints without corresponding middleware execution logs
  • Discrepancies between request counts in application logs versus web server access logs

Detection Strategies

  • Enable detailed HTTP method logging at the web server and application level to identify HEAD request patterns
  • Implement monitoring rules to alert on HEAD requests to sensitive or protected endpoints
  • Review application middleware execution logs for gaps where requests reached handlers without middleware processing
  • Deploy Web Application Firewall (WAF) rules to flag or block suspicious HEAD request patterns to protected resources

Monitoring Recommendations

  • Configure application performance monitoring (APM) tools to track middleware execution for all HTTP methods
  • Set up alerts for HEAD requests to endpoints that should only accept GET requests with full middleware chains
  • Monitor for authentication bypass indicators such as successful responses to protected endpoints without valid session tokens
  • Implement request method auditing to detect method-switching attack patterns

How to Mitigate CVE-2026-33011

Immediate Actions Required

  • Upgrade NestJS to version 11.1.16 or later immediately for all applications using @nestjs/platform-fastify
  • Audit all GET middleware to identify security-critical functionality that may have been bypassed
  • Review access logs for evidence of exploitation via HEAD request patterns
  • Consider temporarily blocking HEAD requests at the load balancer or WAF level until patching is complete

Patch Information

The vulnerability is fixed in NestJS version 11.1.16. The patch modifies the middleware execution logic to ensure that GET-registered middleware also runs for HEAD requests, maintaining proper HTTP semantics while preserving security controls. The fix is available in commit cbdf737cd6e7cefa52d05ecea2ae4af95c464614.

For detailed patch information, see the GitHub Security Advisory GHSA-wf42-42fg-fg84 and the v11.1.17 Release Notes.

Workarounds

  • Register middleware explicitly for both GET and HEAD methods on all protected routes
  • Implement a global middleware or interceptor that enforces security checks regardless of HTTP method
  • Configure the reverse proxy or load balancer to reject HEAD requests to sensitive endpoints
  • Use route guards instead of or in addition to middleware for critical security checks
bash
# Upgrade NestJS packages to patched version
npm update @nestjs/core @nestjs/platform-fastify
# Or specify the minimum safe version
npm install @nestjs/core@^11.1.16 @nestjs/platform-fastify@^11.1.16

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne